feat: secure skill env setup on load (core #688)

When a skill declares required_environment_variables in its YAML
frontmatter, missing env vars trigger a secure TUI prompt (identical
to the sudo password widget) when the skill is loaded. Secrets flow
directly to ~/.hermes/.env, never entering LLM context.

Key changes:
- New required_environment_variables frontmatter field for skills
- Secure TUI widget (masked input, 120s timeout)
- Gateway safety: messaging platforms show local setup guidance
- Legacy prerequisites.env_vars normalized into new format
- Remote backend handling: conservative setup_needed=True
- Env var name validation, file permissions hardened to 0o600
- Redact patterns extended for secret-related JSON fields
- 12 existing skills updated with prerequisites declarations
- ~48 new tests covering skip, timeout, gateway, remote backends
- Dynamic panel widget sizing (fixes hardcoded width from original PR)

Cherry-picked from PR #723 by kshitijk4poor, rebased onto current main
with conflict resolution.

Fixes #688

Co-authored-by: kshitijk4poor <kshitijk4poor@users.noreply.github.com>

tests/gateway/test_platform_base.py

@@ -5,11 +5,19 @@ from unittest.mock import patch
 
 from gateway.platforms.base import (
     BasePlatformAdapter,
+    GATEWAY_SECRET_CAPTURE_UNSUPPORTED_MESSAGE,
     MessageEvent,
     MessageType,
 )
 
 
+class TestSecretCaptureGuidance:
+    def test_gateway_secret_capture_message_points_to_local_setup(self):
+        message = GATEWAY_SECRET_CAPTURE_UNSUPPORTED_MESSAGE
+        assert "hermes setup" in message.lower()
+        assert "~/.hermes/.env" in message
+
+
 # ---------------------------------------------------------------------------
 # MessageEvent — command parsing
 # ---------------------------------------------------------------------------
@@ -259,13 +267,22 @@ class TestExtractMedia:
 class TestTruncateMessage:
     def _adapter(self):
         """Create a minimal adapter instance for testing static/instance methods."""
+
         class StubAdapter(BasePlatformAdapter):
-            async def connect(self): return True
-            async def disconnect(self): pass
-            async def send(self, *a, **kw): pass
-            async def get_chat_info(self, *a): return {}
+            async def connect(self):
+                return True
+
+            async def disconnect(self):
+                pass
+
+            async def send(self, *a, **kw):
+                pass
+
+            async def get_chat_info(self, *a):
+                return {}
 
         from gateway.config import Platform, PlatformConfig
+
         config = PlatformConfig(enabled=True, token="test")
         return StubAdapter(config=config, platform=Platform.TELEGRAM)
 
@@ -313,10 +330,10 @@ class TestTruncateMessage:
         chunks = adapter.truncate_message(msg, max_length=300)
         if len(chunks) > 1:
             # At least one continuation chunk should reopen with ```javascript
-            reopened_with_lang = any(
-                "```javascript" in chunk for chunk in chunks[1:]
+            reopened_with_lang = any("```javascript" in chunk for chunk in chunks[1:])
+            assert reopened_with_lang, (
+                "No continuation chunk reopened with language tag"
             )
-            assert reopened_with_lang, "No continuation chunk reopened with language tag"
 
     def test_continuation_chunks_have_balanced_fences(self):
         """Regression: continuation chunks must close reopened code blocks."""
@@ -336,7 +353,9 @@ class TestTruncateMessage:
         max_len = 200
         chunks = adapter.truncate_message(msg, max_length=max_len)
         for i, chunk in enumerate(chunks):
-            assert len(chunk) <= max_len + 20, f"Chunk {i} too long: {len(chunk)} > {max_len}"
+            assert len(chunk) <= max_len + 20, (
+                f"Chunk {i} too long: {len(chunk)} > {max_len}"
+            )
 
 
 # ---------------------------------------------------------------------------